vsftpd: chroot_local_user causes GNU/TLS-error
Posted
by
akrosikam
on Ask Ubuntu
See other posts from Ask Ubuntu
or by akrosikam
Published on 2013-02-14T15:11:31Z
Indexed on
2013/06/29
22:28 UTC
Read the original article
Hit count: 526
Distro: Ubuntu 12.04.2 Server 32-bit
Server client: vsftpd 2.3.5 (from default "main" repository)
Problem: Since upgrading from Ubuntu 10.04 to Ubuntu 12.04 (nothing changed on client-side), vsftp has refused to make chroot-jails with the "chroot_local_user" directive on FTP(e/i)S-connections.
Here's my vsftpd.conf
:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
xferlog_std_format=YES
ftpd_banner=How are you gentlemen.
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES
connect_from_port_20=YES
ftp_data_port=20
listen_port=21
pasv_enable=YES
pasv_promiscuous=NO
pasv_min_port=4242
pasv_max_port=4252
pasv_addr_resolve=YES
pasv_address=your.domain.com
ssl_enable=YES
allow_anon_ssl=NO
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/home/maw/ssl_ftp_test/vsftpd.pem
rsa_private_key_file=/home/maw/ssl_ftp_test/vsftpd.pem
debug_ssl=YES
log_ftp_protocol=YES
ssl_ciphers=HIGH
chroot_local_user=NO
How to reproduce:
- Have a working SSL/TLS-secured vsftpd-configuration (I suggest similar to the one above) ready.
- Try to connect with an FTP user client and upload some files. With my setup, the above listed config works well at this point.
- Edit
/etc/vsftpd.conf
and setchroot_local_user=
toYES
. Make sure thatchroot_list_enable=
and/orchroot_list_file=
are not set. Comment them out if they are. Save and exit. - Run
sudo restart vsftpd
(orsudo service vsftpd restart
if you like) in a terminal. - Try to connect with an FTP user client. You should see a message more or less like this:
GnuTLS error -15: An unexpected TLS packet was received.
This is an issue for me, as I do not want FTP-sessions to be able to list files outside the user's home folder.
I have checked with several client-side apps, and I get the same results with every one of them. Filezilla is not so good regarding cipher methods nowadays, but as I am able to make an FTP(e)s-connection over TLS (as long as chroot'ing is disabled and ssl_ciphers
is set to HIGH
) I have a feeling ciphers are not the issue this time, and that I won't find the answer by tweaking configs on the client side.
My vsftpd.log
stays empty, even though debug_ssl
and log_ftp_protocol
are enabled, so no info there either.
© Ask Ubuntu or respective owner